A Femto Cell is a tiny little home router which boosts the 3G Phone signal. It’s available from the Vodafone Store to any customer for 160 GBP.

THC managed to reverse engineer – a process of revealing the secrets – of the equipment. THC is now able to turn this Femto Cell into a full blown 3G/UMTC/WCDMA interception device.

A Femto is linked to the Vodafone core network via your home Internet connection. The Femto uses this access to retrieve the secret key material of a Vodafone customer who wants to use the Femto.

THC found a way to circumvent this and to allow any subscriber – even those not registered with the Femto – to use the Femto. They turned it into an IMSI grabber. The attacker has to be within 50m range of the UK Vodafone customer to make the customer’s phone use the attacker’s femto.

The second vulnerability is that Vodafone grants the femto to the Vodafone Core Network HLR /AuC which store the secret subscriber information. This means an attacker with administrator access to the Femto can request the secret key material of a UK Vodafone Mobile Phone User.

This is exactly what happened. The group gained administrator access to the Femto. An attacker can now retrieve the secret key material of other Vodafone customers.

This secret key material enables an attacker to listen to other people’s phone calls and to impersonate the victim’s phone, to make phone calls on the victim’s cost and access the victim’s voice mail.

This is clearly a design flaw by Vodafone. It is disgusting to see that a major player like Vodafone chooses ‘newsys’ as the administrator password, thus allowing anyone to retrieve secret data of other people.